Creating a User in Domain

Posted: January 10, 2010 in Active Directory, Networking, Server, System Information
Tags: , ,

Problem

You want to create a user object.

Solution

Using a graphical user interface
  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to and select the container where the new user should be located and select New User.
  4. Enter the values for the first name, last name, full name, and user logon name fields as appropriate and click Next.
  5. Enter and confirm password, set any of the password flags, and click Next.
  6. Click Finish.
Using a command-line interface

You can create a user with the built-in DSAdd utility or by using AdMod. Using DSAdd requires the following syntax:

        > dsadd user "<UserDN>" -upn <UserUPN> -fn "<UserFirstName>"
        -ln "<UserLastName>" -display "<UserDisplayName>" -pwd <UserPasswd>

To create a user account with AdMod, use the following syntax:

        > admod b "<UserDN>" add objectClass::user
           sAMAccountName::<SAMAccount> unicodepwd::<password> userAccountControl::512
        kerbenc
Using VBScript
        ' Taken from ADS_USER_FLAG_ENUM
        Const ADS_UF_NORMAL_ACCOUNT = 512

        set objParent = GetObject("LDAP://<ParentDN>")
        set objUser = objParent.Create("user", "cn=<UserName>") ' e.g. joes
        objUser.Put "sAMAccountName", "<UserName>"   ' e.g. joes
        objUser.Put "userPrincipalName", "<UserUPN>" ' e.g. joes@rallencorp.com
objUser.Put "givenName", "<UserFirstName>"       ' e.g. Joe
        objUser.Put "sn", "<UserLastName>"           ' e.g. Smith
        objUser.Put "displayName", "<UserFirstName> <UserLastName>" ' e.g. Joe Smith
        objUser.SetInfo
        objUser.SetPassword("<Password>")
        objUser.AccountDisabled = FALSE
        objUser.SetInfo
        objUser.Put " 
userAccountControl", ADS_UF_NORMAL_ACCOUNT
        objUser.SetInfo

Discussion

The only mandatory attribute that must be set when creating a user is sAMAccountName, which is the account name that is used to interoperate with downlevel domainsand even this attribute is only mandatory in Windows Server 2003. To make the account immediately available for a user to use, you’ll need to make sure the account is enabled, which is accomplished by setting userAccountControl to 512 after you’ve set a password that follows any password complexity rules in place for the domain (order is important in this case).If you only set the sAMAccountName when creating a user object, the account will be disabled by default.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s